Method for initialising an application in terminals

ABSTRACT

The method for the initialisation or extension of an application for the transmission of information associated with an application to terminals of a system with mobile data carriers, terminals and with a hierarchical authorisation system utilises application information, which is loaded onto mobile data carriers from a selected, authorised terminal. Subsequently, during the presentation of the data carriers at further terminals, the application information is transmitted to the terminals associated with the application such that thereupon the application is capable of being executed for authorised data carriers at the terminals. The terminals are also capable of being transformed into further authorised terminals for the further controlled propagation or deletion of the application information (“virus” principle).

BACKGROUND OF THE INVENTION

The invention is related to a method for the initialisation or extension of an application, i.e. for the transmission of information associated with an application to terminals, resp., read- and write stations of a system with mobile data carriers within the framework of a hierarchical authorisation system as well as a mobile data carrier. Systems with mobile data carriers (e.g., contact requiring and in preference contact-less identification media, chip cards or value cards, etc.) make it possible for the user to carry out corresponding applications at assigned read and write stations, such as the access to services (PC-access and goods), resp., the access to protected zones, buildings, events, etc.

An example for a system of this kind with contact-less identification media, resp., mobile data carriers and a hierarchical authorisation system is described in WO 97/34265.

Above all in larger systems these applications time and again have to be extended, added to and modified at the various terminals, i.e., new or extended applications App have to be set up in certain terminals. This renewal and adaptation of application programs up until now is only able to take place in two manners:

-   1. Terminals, which are connected with a central application computer, e.g., a host computer, from there may be provided with a new application, resp., with corresponding application programs and information. This, however, entails high costs for the making ready and the operation of the online connections to the terminals. Decentralised terminals (in the meaning of stand-alone, offline) are not capable of being newly programmed or reprogrammed in this manner.
-   2. The terminals are individually reprogrammed by a service engineer by the exchanging of the program memory or by the loading of a new application program by means of a service device, which is connected through an interface. This entails high costs for this software changeover.

It now is the objective of the invention to find a new simple method for changing and setting up applications in terminals and above all also in decentralised terminals. This objective is achieved in accordance with the invention by a method according to claim 1 and by a mobile data carrier according to claim 28.

BRIEF SUMMARY OF THE INVENTION

In doing so, a new application App is loaded into a selected, authorised terminal WRZ of the system. The data carriers IM are presented at the authorised terminal, checked by it and if so required loaded with the new application information Iex. If these loaded data carriers IMex are presented at further terminals WR of the system, then once again the data carrier is checked by the terminal and, if the new application App is associated with the terminal, then the application App, resp., the corresponding application information Iex is loaded into the terminal and in the following also executed by the terminal.

The dependent claims relate to advantageous further developments of the invention comprising particular advantages with respect to applications, security and adaptation to further conditions. In the following, the invention is further explained on the basis of Figures and examples.

BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWINGS

FIG. 1 a, b, c are schematic representations of the method in accordance with the invention with the transmission of a new application from an authorised terminal WRZ to a data carrier IMex, from the data carrier to another terminal WR and the execution of the application with further data carriers IM,

FIG. 2 is a schematic representation of an evolution of the method according to the invention with status feedback messages,

FIG. 3 is a schematic representation of an iterative evolution of the method in accordance with the invention by the transformation of a terminal WR into an authorised terminal WRZ,

FIG. 4 a, b are schematic representations of the implementation of the method according to the invention with the construction of an authorised terminal WRZ, of a data carrier IMex and of a terminal WR with the transmitted application information Iex,

FIG. 5 a, b, c are schematic representations that illustrate the distribution of application information to the terminals WR and to the data carriers IMex as well as the execution of applications,

FIG. 6 is a schematic representation of a system with several authorised terminals WRZ, data carriers IMex and terminals WR, and

FIG. 7 is a schematic representation of an example of a system according to FIG. 6 with initialisations of several independent applications of independent users, with the information flow Iex and status feedback messages.

DETAILED DESCRIPTION OF THE INVENTION

The FIGS. 1 a, 1 b, 1 c, 2 and 3 illustrate the method according to the invention for the initialisation or extension of an application App, i.e., for the transmission of the application information Iex associated with an application App to terminals, resp., to read- and write stations WR of a system with mobile data carriers IM, terminals WR and a hierarchical authorisation system A. The application information Iex is loaded from a selected, authorised terminal WRZ onto mobile data carriers IMex and subsequently with the presenting of these data carriers IMex at further terminals WR the application information Iex is transmitted to these further terminals WR associated with the application, so that thereupon the application App is capable of being executed at these terminals WR for authorised data carriers IM and IMex.

A new or extended application App is loaded into a selected, authorised terminal WRZ (step 10 in FIG. 1 a), e.g., into a security module SM with a security level SL-WR. As authorised terminals WRZ, in preference relatively central terminals are defined, which are frequented by many different data carriers IM, and from which the data carriers transmit the application information Iex onwards to the desired other terminals WR of the system. When presenting the data carrier IMex, the authorisation of the data carrier IMex for this application is verified by the authorised terminal WRZ (step 11) or vice-versa. In case of an authorisation being present, the application, resp., the application information Iex is written to the memory of the data carrier IMex (12) as is illustrated by FIG. 1 a. Here in the data carrier IMex flag/pointers F/P are able to be set. When the data carrier subsequently is transmitted to further reading stations, resp., terminals WR of the system (13) and presented there, then between the terminal WR and the data carrier once again a verification takes place (14). In doing so, it is also possible to check the flag/pointers F/P of the data carrier IMex (15). By the data carrier or by the terminal WR it is verified, whether the new application is destined for this terminal WR and to what extent certain security requirements are fulfilled, e.g., whether the security level SL-WR of the terminals WR corresponds to the new application, resp., to the security level SL-IM of the data carrier. If this is the case, then the application information Iex is transmitted to the terminal WR (15), e.g., into a security module SM (FIG. 1 b). Subsequently further data carriers IM1, IM2, IM3, etc., may be presented at and verified at this terminal WR (17), whereupon this new application App is also able to be transmitted to the further, authorised data carriers, e.g., IM1, IM3 by the terminal and if so required also executed on the transmitting data carrier IMex (18), (FIG. 1 c), while on a non-authorised data carrier, e.g., IM2, the application is not able to be executed.

The execution of an application by a terminal WR immediately following the transmission of this application from the data carrier IMex to the terminal WR makes possible the implementation of applications with individual application profiles ind.

The data carrier IMex, however, is also capable of being utilised solely as a postman for the transmission of the application information Iex, without it being destined for the application App itself (without it being able to execute this application itself).

By means of flag/pointers F/P, it is possible to define or to verify, whether application information Iex is present on a data carrier IMex. In particular one has to differentiate between the following flag/pointers F/P:

-   Flag/pointer F/P-IMex of the data carrier IMex: A flag/pointer F/P-IMex is primarily associated with the data carrier IMex and is to make possible the management of application information Iex on the data carrier.
    -   A flag/pointer F/P-IMex in general refers to an application information Iex(App) or to an application App, which for its part contains application information Iex(App) and a flag/pointer F/P-App.
-   Flag/pointer F/P-App of an application App on a data carrier IMex: A flag/pointer F/P-App is primarily associated with the application App (e.g., as part of the application App) and is to make the management of application information Iex of an application App easier.

Within the framework of the transmission of application information Iex between the elements WR, WRZ and IMex one is able to differentiate whether these appear as active (i.e., making the application information Iex available as sender of their own accord) or passive (i.e., receiving the application information Iex as receiver).

The utilisation, i.e., the setting of flag/pointers F/P is a possibility for the implementation of active elements WR, WRZ, IMex. Thus during the step 15 (transmission of the application information Iex to the terminal WR), depending on requirements the terminal WR (active) is able to request from the data carrier, whether application information Iex is present (in that, e.g., the flag/pointer F/P-IMex is checked and if so required evaluated) or the data carrier IMex (active) is able to inform the terminal WR, that an application information Iex is present (in that, e.g., the flag/pointer F/P-IMex is transmitted to the terminal WR for a possibly required evaluation). This is also applicable in analogy for the sending back of status information Ist.

For the transmission of the application information Iex to the data carriers IMex and for the transmission from the data carriers IMex onto the terminals WR, an adequate authorisation is necessary. I.e., the transmission may only take place to, resp., by authorised data carriers IMex, resp., terminals WR, for which the application is destined and in such a manner, that the required security is assured. This authorisation is capable of being implemented in various ways and adapted, resp., selected according to the security requirements in correspondence with the type and the importance of the application, for example with the authorisation rules of the security level SL-IM corresponding to the system A, which are associated with the data carrier IMex, and security level SL-WR, which are associated with the terminals WR and which control the transmission of the new application information Iex and its subsequent execution. In doing so, it is important, that the rules of the authorisation system A prevent, that it is possible for a security level SL-IM or SL-WR in a data carrier or in a terminal to be increased or changed. With this, the distribution of the applications App to the terminals WR and their utilisation is checked and restricted by means of the data carriers IM.

It is hereby possible to define the characteristics of the security level SL within the framework of the authorisation system A following or extending already present hierarchy levels, e.g., of organisation levels OL in accordance with WO 97/34265, or by new levels (with new principles) independent of existing levels.

There is, however, also the possibility, that the security levels SL are defined not within the framework of the authorisation system A, but rather within the framework of an additional, independent security authorisation system SA.

Further security and controlling elements form identification data ID-IM and ID-WR or additional personal codes pers, as is further explained in FIG. 2. These may be linked with the security levels SL.

It is also possible to introduce a separate encryption cryp2 for the application. In doing so, the application information is encrypted with cryp2 in the authorised terminal WRZ, transmitted in encrypted form in the data carrier IMex and the transmitted application information Iex is only decoded again in the terminal WR with cryp2 (FIGS. 1 a, 1 b, 2). In this, the data carrier IMex in most cases does not need to have at its disposal the code cryp2. This application information Iex must only be capable of being decoded in terminals WR or by data carriers IMex, to which a corresponding application is assigned.

It is also possible, that for different independent applications App1, App2 of independent users and the assigned terminals WR also encryptions cryp2 independent of one another are selected. This encryption cryp2 of the application is independent of an encryption cryp1 of the contact-less communication Rf-K in contact-less systems, as is illustrated with the example of FIG. 4.
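The separation of the application encryption cryp2 from the link encryption cryp1 described in the two preceding paragraphs, as an added example in Python (not code from the patent): the authorised terminal WRZ seals Iex under the application key cryp2, the data carrier IMex only forwards the opaque blob over a link protected by cryp1, and only a terminal WR holding the same cryp2 recovers Iex. The cipher is a constructed stand-in (HMAC-SHA256 keystream with encrypt-then-MAC) chosen so the example runs on the standard library alone; the function names and the key values in the test are this example's assumptions, and a real deployment would use an authenticated cipher such as AES-GCM.

```python
"""Application-layer encryption (cryp2) separate from link encryption (cryp1).

Added example, not from the patent. The cipher below is a constructed
stand-in for an AEAD: a keystream derived with HMAC-SHA256 plus an
encrypt-then-MAC tag, with independent sub-keys for each purpose.
"""
import hashlib
import hmac
import os
from typing import Optional

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive independent encryption and authentication keys from one secret.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Return nonce || ciphertext || tag (explicit nonce only for reproducible tests)."""
    nonce = nonce or os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the tag does not verify under this key."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


# The three parties of FIG. 1 / FIG. 4; the function names are this example's own.

def wrz_load_onto_carrier(cryp2: bytes, iex: bytes) -> bytes:
    """Step 12: WRZ writes Iex onto IMex, already encrypted under cryp2."""
    return seal(cryp2, iex)


def carrier_present_at_terminal(cryp1: bytes, stored_blob: bytes) -> bytes:
    """Steps 13/15: IMex forwards the opaque blob over the cryp1-protected link Rf-K."""
    return seal(cryp1, stored_blob)


def wr_receive(cryp1: bytes, cryp2: bytes, frame: bytes) -> Optional[bytes]:
    """Terminal WR strips the link layer, then decodes Iex with its own cryp2."""
    blob = unseal(cryp1, frame)
    if blob is None:
        return None
    return unseal(cryp2, blob)
```

Because IMex holds only cryp1, it can carry the blob but not read it, and a terminal assigned to a different application (different cryp2) fails the tag check rather than obtaining garbage plaintext.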

The new applications transmitted in accordance with the invention, resp., the corresponding application information Iex are to be understood as application extensions Appu (Update) of existing applications in the terminals WR or as new, not yet present applications Appn.

FIG. 2 illustrates the evolution of the method according to the invention as described in FIG. 1 with status feedback messages Ist. A new application App (Appn or Appu) is loaded into an authorised terminal WRZ from a host computer (a central station) H or from a transmission authorisation medium AM (step 10). There a presented data carrier IMex is controlled (step 11) and, if it is authorised and destined for it, application information Iex is written onto the data carrier (12), which subsequently is transmitted to further terminals WR of the system (13). Here it is checked, whether the terminal WR is associated with the new application (resp., whether the data carrier IMex is associated with the terminal WR) and whether all authorisations are present, e.g., by means of a verification of the mutual assignment of the security levels SL and of the reference-/serial numbers (step 14), whereupon the information Iex is written into, resp., transmitted to the terminal WR (15).

For the controlling of the authorisation and authentication at the authorised terminals WRZ or at the terminals WR associated with an application, the data carrier IMex may contain special identification data ID-IM. In this manner, the data carriers IMex are able to be defined for the transmission of selected application information Iex by means of identification data ID-IM.

And for the controlling of the authorisation and authentication at the terminal WR, special identification data ID-WR of the terminal are able to serve, with which the terminals WR are defined for the receiving of certain application information Iex.

During the transmission of the new application information Iex to the data carriers IMex and from the data carriers to the terminals WR, as an additional security requirement also a personal identification of the owner of the data carrier or of the owner of the terminal with a personal code pers (e.g., a PIN code or a biometric code) may be prescribed.

In order to prevent, that a newer application is inadvertently overwritten by an older application, it is possible to provide a control mechanism, e.g., with respect to time or by means of a version number. If an earlier application version App1 a initialised by a data carrier IMex has been replaced by a later, new, modified version App1 b, then it must be prevented, that this newly installed version subsequently once again is capable of being replaced by the old version App1 a, e.g., if this old version is later presented at the terminal WR by another data carrier IMex, which still contains the old version. It is possible to achieve this by means of a time control, e.g., by dating the applications with respect to time and by means of the condition, that a younger application App1 b with the point in time tb is not able to be replaced by an older version App1 a with the point in time ta: Condition tb > ta. Another possibility consists in a controlling by means of a version number vn and the condition, that a younger application App1 b with the version vb may not be deleted, resp., replaced by an older application App1 a with the version va: Condition vb > va.

FIG. 2 also illustrates the sending back (step 20) of status information Ist concerning occurrences at the terminals WR with regard to the transmission of application information Iex, which are capable of being sent back to the authorised terminal WRZ by a data carrier IMex (the one, which has transmitted the application, or by another one), e.g., concerning which application was correctly installed when in which terminal WR. Also status information Ist concerning the execution of the initialised application at the terminals WR is able to be sent back in this manner. Here the sending back may be initialised at different times, in preference by the terminal WR, e.g., immediately following the transmission of the application information Iex, at a predetermined later point in time or following a first-time execution of the application with a data carrier IM. The sending back of status information is also capable of being employed for controlling the propagation of the application information Iex. In this manner, the complete transmission of the application information Iex from the data carrier IMex to the terminal WR is able to be made dependent on the fact, that the terminal WR transmits status information Ist to the data carrier IMex. This may take place by means of a shadow memory, which is described, e.g., in WO 97/34265.
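The checks of steps 11 to 15 (association of the application with the terminal, security levels SL-IM and SL-WR), the anti-rollback condition vb > va, resp., tb > ta of the preceding paragraph and the status feedback Ist of step 20, as one added example in Python (not the patent's own code). The AppInfo, Carrier and Terminal classes, the outcome strings and the sample versions are this example's assumptions; security levels are treated as fixed attributes that the transfer never modifies, as the rules of the authorisation system A require.

```python
"""WRZ -> IMex -> WR transfer with authorisation check, anti-rollback and Ist.

Added example, not from the patent. Data structures, outcome strings and
sample data are constructed for this illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class AppInfo:
    """Application information Iex, stamped with version vn and time t."""
    app: str
    version: int
    time: int
    sl: int          # security level the application requires
    payload: str     # Idat / Ipar / Icod, left opaque here


@dataclass
class Carrier:
    """Data carrier IMex; F/P-IMex is set exactly when iex is not None."""
    id_im: str
    sl_im: int
    iex: Optional[AppInfo] = None
    ist: List[str] = field(default_factory=list)     # status information for WRZ


@dataclass
class Terminal:
    """Terminal WR, or authorised terminal WRZ when used as the source."""
    id_wr: str
    sl_wr: int
    apps: Set[str]                                   # applications associated with it
    installed: Dict[str, AppInfo] = field(default_factory=dict)


def is_newer(new: AppInfo, old: AppInfo, by: str = "version") -> bool:
    """Condition vb > va (or tb > ta): the replacement must be younger."""
    if by == "time":
        return new.time > old.time
    return new.version > old.version


def wrz_load(wrz: Terminal, carrier: Carrier, info: AppInfo) -> str:
    """Steps 11/12: WRZ verifies the carrier and writes Iex onto it."""
    if info.app not in wrz.apps:
        return "wrz-not-source"
    if carrier.sl_im < info.sl:
        return "sl-im-too-low"
    carrier.iex = info
    return "loaded"


def present(carrier: Carrier, wr: Terminal, by: str = "version") -> str:
    """Steps 14/15/20: verify, install with anti-rollback, hand Ist back."""
    info = carrier.iex
    if info is None:
        return "no-iex"                   # F/P-IMex not set
    if info.app not in wr.apps:
        return "not-destined"             # terminal not associated with App
    if wr.sl_wr < info.sl:
        return "sl-wr-too-low"            # security level rule not fulfilled
    current = wr.installed.get(info.app)
    if current is not None and not is_newer(info, current, by):
        outcome = "rejected-older"        # an old version may not replace a newer one
    else:
        wr.installed[info.app] = info
        outcome = "installed"
    # The transfer counts as complete only once Ist is on the carrier (step 20).
    carrier.ist.append(f"{wr.id_wr}:{info.app}:v{info.version}:{outcome}")
    return outcome


def wrz_collect_status(carrier: Carrier) -> List[str]:
    """WRZ reads the status feedback carried back and clears it from IMex."""
    ist, carrier.ist = list(carrier.ist), []
    return ist
```

Run with two carriers, one of which still holds the old version: the second presentation of the old version at a terminal that already runs the newer one yields `rejected-older`, and the carrier that performed the successful installs returns both Ist entries to WRZ.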

FIGS. 2 and 4 in addition illustrate an application hardware/software App HW/SW associated with a terminal WR for the physical execution of applications, resp., the physical configuration of a terminal (e.g., the controlling of a door access). This App HW/SW may contain active functional devices (such as motors, relays), input devices, display devices, biometric sensors, etc. FIG. 2 also depicts the execution of initialised applications at a terminal WR with the assigned active functional equipment App HW/SW (step 18) for a data carrier IMex or also for further data carriers IM presented in the following. With a newly initialised application, it is also possible for a terminal to carry out functions, for which the terminal originally was not conceived, this to such an extent as the App HW/SW necessary for this is present and to such an extent as it is capable of being configured by application information Iex in accordance with the requirements of the new application.

FIG. 3 illustrates the iterative evolution of the method according to the invention through the transformation of terminals WR into authorised terminals WRZ, this in the meaning of a controlled propagation, resp., deletion of new applications over several authorised terminals WRZ (virus principle). In doing so, first authorised terminals WRZj are selected, in general within the framework of the authorisation system A, possibly also by the transformation of terminals WRi into authorised terminals WRZj (step 9). Through these authorised terminals WRZj subsequently the transmission of application information Iex onto data carriers IMex and by the data carriers IMex to further terminals WR is carried out. One or several of these terminals WR as a result of the transmission of application information Iex may be transformed into authorised terminals WRZ. Subsequently the application information from these further authorised terminals WRZ is loaded into further data carriers IMex, through which the application information Iex once again is transmitted to further normal terminals WR. Terminals transformed from a terminal WRi into an authorised terminal WRZj at any time (in preference after the application information has been transmitted to all terminals WR of a system) are capable of being transformed back into terminals WRi again (step 22). FIG. 3 depicts a controlled, iterative propagation of the application information Iex of this kind. At the beginning of the method there is the selection of an authorised terminal WRZ. This may be an authorised terminal WRZj, which within the framework of the system was selected right from the beginning as authorised. It is also possible, however, to transform a terminal WRi into an authorised terminal WRZj (step 9). The transformation into an authorised terminal WRZj may be dependent on an authorisation by means of authorisation information 1 a, which is carried out through a host computer H or an authorisation medium (a data carrier) AM. If no enabling of the functionality as an authorised terminal WRZ by means of release information If is to take place beforehand (as an additional, optional security measure), then an authorised terminal WRZ subsequently is ready for the acceptance of application information Iex. In the latter case, the transmission of application information Iex counts as an implicit enabling. In the first case, the enabling takes place by means of release information If, in preference once again through a host computer H or an authorisation medium AM. Departing from one or from several central terminals WRZ1, WRZ2, the application information Iex thereupon through the data carriers IM1 ex, IM2 ex is transmitted to several terminals WRa, WRb, . . . , WRd, at which subsequently the new application App is capable of being executed (step 18). Selected from these are certain terminals, e.g., WRd, which for their part are transformed into the status of an authorised terminal WRZd (step 21). Also through these new authorised terminals WRZd it is possible to transmit the application information Iex to further terminals WRf, . . . , WRh by means of data carriers IMex4, IMex5 in a controlled manner, possibly following the enabling by means of release information If. For this new authorised terminal WRZd the transmission of the release information If in preference is carried out through IMex. As is evident, for the transmission of application information Iex to the data carriers IMex4 and IMex5, no direct contact with an authorised terminal linked to a host computer H, e.g., WRZ1, is necessary. This iterative principle may be repeated as frequently as required, e.g., the terminal WRh is capable of being transformed into the authorised terminal WRZh. This makes possible the controlled transmission of the application information Iex within a system with various authorised terminals WRZ, various terminals WR and data carriers IM, resp., IMex and with this a more rapid and specific propagation of a new application within a system.

An important aspect for the controlled propagation is the possibility of transforming a terminal WRd, WRh into an authorised terminal WRZd, WRZh, without the terminal having to be connected with a host computer H and without the application information Iex having to be transmitted into the terminal by means of an additional, special transmission authorisation medium AM. This leads to further cost reductions during the introduction, resp., initialisation of new applications, because it is possible to make do without the linking of the individual terminals WR to the host computer H or without the transmission on site into every individual terminal WR by means of a transmission authorisation medium AM. The users of a system, i.e., the holders of the identification media (data carriers) IMex, propagate a new application in the system in the simplest possible manner: by the utilisation of the system.

In analogy to this controlled propagation in accordance with the virus principle, it is also possible to carry out a controlled deletion of an application App, independent of how and from where this application has been loaded into, resp., transmitted to a terminal WR.

In this, it is also possible for a terminal WR to be transformed into an authorised terminal WRZ only temporarily. Thus it is possible for a transformed authorised terminal WRZ (e.g., WRZd) after a certain time period or on the basis of certain criteria to be transformed back into a normal terminal WRd again, e.g., after the application information Iex has been transmitted to a predefined number of data carriers IMex or in dependence of certain status information Ist.

Also here it is applicable, that an authorised terminal, e.g., WRZd, does not have to transmit application information Iex to all IMex, but solely if it is meant for this.

It is also possible, that a terminal WR is transformed into an authorised terminal WRZ solely for the transmission of status information.
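The controlled, iterative propagation of FIG. 3, including the transformation of a terminal into an authorised terminal on installation (step 21) and its transformation back after a predefined number of loaded data carriers (step 22, as in the paragraph on temporary transformation), as an added simulation in Python. It is not the patent's own code: the Term, Card and System structures, the fixed presentation schedule and the terminal and card names in `build_demo` are constructed for this illustration, and release information If is assumed to travel with the same IMex that delivers Iex, as the text permits.

```python
"""Controlled, iterative propagation (FIG. 3) replayed on a fixed schedule.

Added example, not from the patent. Rules modelled: only an authorised,
released terminal holding the application loads Iex onto an authorised
card; a card holding Iex installs the application only at a terminal the
application is destined for; a terminal listed in promote_on_install
becomes an authorised terminal when it installs the application and is
transformed back after max_loads cards have been loaded.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Term:
    name: str
    associated: bool = True      # application App is destined for this terminal
    authorised: bool = False     # currently acts as an authorised terminal WRZ
    released: bool = False       # release information If present (WRZ only)
    has_app: bool = False
    loads_done: int = 0          # cards loaded while authorised
    max_loads: int = 0           # >0: revert to a normal terminal after this many loads


@dataclass
class Card:
    name: str
    authorised: bool = True      # SL-IM adequate for the application
    has_iex: bool = False


@dataclass
class System:
    terms: Dict[str, Term]
    cards: Dict[str, Card]
    promote_on_install: Dict[str, int] = field(default_factory=dict)  # terminal -> max_loads
    log: List[str] = field(default_factory=list)

    def present(self, card_name: str, term_name: str) -> None:
        card, term = self.cards[card_name], self.terms[term_name]
        # Step 12: authorised terminal -> card
        if (term.authorised and term.released and term.has_app
                and card.authorised and not card.has_iex):
            card.has_iex = True
            term.loads_done += 1
            self.log.append(f"{term.name}->{card.name}: Iex loaded (12)")
            if term.max_loads and term.loads_done >= term.max_loads:
                term.authorised = term.released = False
                self.log.append(f"{term.name}: transformed back into WR (22)")
            return
        # Step 15: card -> terminal the application is destined for
        if card.has_iex and term.associated and not term.has_app:
            term.has_app = True
            self.log.append(f"{card.name}->{term.name}: App installed (15)")
            if term.name in self.promote_on_install:
                term.authorised = True
                term.released = True      # If assumed to be carried by the same IMex
                term.max_loads = self.promote_on_install[term.name]
                self.log.append(f"{term.name}: transformed into WRZ (21)")

    def run(self, schedule: List[Tuple[str, str]]) -> List[str]:
        """Apply presentations in order; return the terminals holding the application."""
        for card_name, term_name in schedule:
            self.present(card_name, term_name)
        return sorted(n for n, t in self.terms.items() if t.has_app)


def build_demo() -> Tuple[System, List[Tuple[str, str]]]:
    """Constructed scenario: one central WRZ1, WRd promoted for two loads, IM4 unauthorised."""
    terms = {n: Term(n) for n in ["WRZ1", "WRa", "WRb", "WRd", "WRf", "WRh"]}
    terms["WRZ1"].authorised = terms["WRZ1"].released = terms["WRZ1"].has_app = True
    terms["WRx"] = Term("WRx", associated=False)    # application not destined for it
    cards = {n: Card(n) for n in ["IM1", "IM2", "IM4", "IM5"]}
    cards["IM4"].authorised = False                 # inadequate SL-IM
    system = System(terms, cards, promote_on_install={"WRd": 2})
    schedule = [("IM1", "WRZ1"), ("IM1", "WRa"), ("IM1", "WRx"), ("IM1", "WRd"),
                ("IM4", "WRd"), ("IM2", "WRd"), ("IM5", "WRd"), ("IM4", "WRd"),
                ("IM2", "WRf"), ("IM5", "WRh")]
    return system, schedule
```

After the schedule, WRf and WRh hold the application although neither they nor the cards IM2 and IM5 ever met WRZ1: WRd served as the intermediate authorised terminal and was transformed back after its two loads, so the later presentation of IM4 at WRd loads nothing.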

The FIGS. 4 a, 4 b illustrate a structure of the components WRZ, IM and WR as well as the communication and the information flow in the method according to the invention. This example shows a contact-less system Rf with contact-less communication Rf-K between the elements Rf-WRZ, Rf-IMex, Rf-WR. In comparison with contact systems, contact-less systems provide further particular advantages and expanded application possibilities. In this, the contact-less communication Rf-K is encrypted, e.g., by means of an encryption cryp1 by means of a unit for the logical processing of information, e.g., a processor for the communication logic both in the data carriers IM as well as in the terminals WR.

The authorised terminal Rf-WRZ contains a data memory MEM as well as a microprocessor uP-WR for the storage, resp., processing of the application information Iex as well as for the communication and for further security and control functions. In this, the application information Iex = Idat, Ipar, Icod may contain:

-   Idat Application data, e.g., identification numbers, keys, codes for encryption (cryp)
-   Ipar Parameters, e.g., adjustable parameters for the configuration, resp., selection of the communication, type, performance, encryption of the communication, communication protocols, interfaces to the App HW/SW, etc.
-   Icod Program data, resp., program code.

This FIG. 4 illustrates two types of possible data carriers Rf-IMex:

One data carrier without application microprocessor uP-IM, with a memory MEM for the application information Iex and one data carrier, which in addition comprises an application microprocessor uP-IM. This makes it possible, that the data carrier IMex itself is capable of executing an application or a part of an application. In doing so, the corresponding program code Icod is not transmitted to the terminal WR, but remains in the data carrier IMex and is executed, resp., controlled by the application processor uP-IM of the data carrier, which with this forms an extension of the application processor uP-WR, possibly also of the App HW/SW. The compliance with the rules of the authorisation system A, however, also in the case of an extension of this kind is carried out through the terminal WR, i.e., the application data Idat necessary for this (in general that processed by the application Icod) has to be made available to the terminal WR by the data carrier IMex prior to the execution of an application.

FIG. 4 a depicts the transmission of the application information Iex = Idat, Ipar, Icod by the authorised terminal Rf-WRZ onto the data carrier Rf-IMex and FIG. 4 b illustrates the transmission from the data carrier Rf-IMex to the terminals Rf-WR.

The terminals WR may contain a logical communication and application interface LCAI (Logical Communication and Application Interface), through which application information Iex is loaded into the terminals and is capable of being read out.

The terminals WR in this example contain a logical communication and application interface LCAI, which ensures, that the microprocessor of the terminal WR understands the application information Iex, e.g., the language of the program code Icod and is capable of processing it in compliance with the rules of the authorisation system A. The logical communication and application interface LCAI comprises in essence three tasks:

-   In the first instance it acts as an interpreter or virtual machine, in particular for the processing of program data Icod and parameters Ipar,
-   secondly as an application programming interface API, in particular for the processing of application data Idat and also for the processing of program data Icod and parameters Ipar, in particular of data, which is directly associated with the application, resp., which is only understood by the application,
-   and thirdly it ensures the compliance with the rules of the authorisation system A.

The API represents a software interface for the standardised access to functions of a program, so that the logical rules for the execution of the application are complied with.

Correspondingly the writing (12) of application information Iex onto a data carrier IMex has to be carried out through the logical communication and application interface LCAI. In analogy, also the transmission (15) of application information Iex from the data carrier IMex to a terminal WR has to be carried out through the logical communication and application interface LCAI, where in addition also the controlling of the security level SL may take place.

FIG. 4 a further illustrates two possibilities of transmitting the application information Iex in a controlled, authorised manner in compliance with the rules of the authorisation system A to an authorised terminal WRZ for the first time. The transmission may be carried out by a transmission authorisation medium AM (which contains the application information Iex and simultaneously serves for the authorisation according to the authorisation system A) or by a host computer H. In case of a transmission through the host computer H, the rules of the authorisation system A have to be complied with in a different manner, e.g., in that the communication between the host computer H and the authorised terminal WRZ is explicitly enabled by an authorisation medium AM2, in preference through a contact-less communication Rf-K with the WRZ. Here already the transmission (10) of the application information Iex into the authorised terminal WRZ is able to take place through the logical communication and application interface LCAI of the terminal, this as an additional security measure.

The logical communication and application interface LCAI is an important element for the compliance with the rules of the authorisation system A over all levels and for all terminals WR, WRZ and data carriers IM of the system.

It is also possible, that terminals are provided, which do not yet contain any application, so-called generic terminals g-WR with an application microprocessor uP-WR, into which an application Iex is temporarily loaded and also executed by a data carrier IMex. Subsequently this application information Iex may be deleted again. Thus in principle any data carrier IM is capable of bringing along its application itself, e.g., for a one-time access or for the implementation of applications with individual application profiles ind.

A further advantage of generic terminals g-WR consists in the fact, thatthey have to have a relatively flexible application processor uP-WR.This may be made available to a data carrier IM, IMex, which itself doesnot have an application processor uP-IM, i.e., the uP-WR is capable ofbeing utilised for the simulation of a not present uP-IM. This makespossible the simultaneous utilisation of data carriers IM, IMex with andwithout application processor uP-IM within the same system.

The FIGS. 5 a, b, c illustrate the propagation of application information Iex, i.e., of application data Idat and program codes Icod to the terminals WR, WRZ and to the data carriers IM, IMex as well as the execution (18) of applications App at the assigned functional equipment App HW/SW under compliance with the rules of the authorisation system A. The application data Idat and the program codes Icod are processed in the terminal WR and the compliance with the authorisation rules A is controlled by the formation of a function f(A, Icod, Idat). Following the successful controlling (17) of this function, the application is executed in the assigned functional equipment App HW/SW (18).

FIG. 5 a describes the prior art for contact-less systems. Here a strict separation between the program code Icod in the terminal WR and the application data Idat in the data carrier IM takes place. The compliance with the authorisation rules A is carried out in the terminal WR by means of the determination of a function f(A, Icod, Idat) by the application processor uP-WR of the terminal.

FIG. 5 b describes a new possibility in accordance with the method according to the invention. The up until now strict separation between the program code Icod1 in the terminal WR or WRZ and the application data Idat in the data carrier IMex is eliminated. Parts of the program code Icod2 (or also the complete program code) here are contained in the data carrier IMex. The program code Icod2, like the application data Idat, is transmitted to the terminal WR, WRZ. The compliance with the rules is carried out in the terminal WR through the determination of a function f(A, Icod1, Icod2, Idat) with separate processing of Icod1, Icod2, or a function f(A, Icod1+Icod2, Idat) with combined processing of Icod1 and Icod2, by the application processor uP-WR of the terminal.

FIG. 5 c describes a further new possibility, if the data carrier IMex also has an application processor uP-IM at its disposal. In this case, in the data carrier IMex a function f1(Icod2, Idat) is able to be determined by the uP-IM, which may be utilised for the determination of the function f2 in the terminal. This function f2 may be: f2(A, f1, Icod1, Icod2, Idat) or f2(A, f1, Icod1) or in the simplest form f2(A, f1). In the simplest form, in the terminal WR, WRZ only the compliance with the rules of the authorisation system A is carried out and there is no processing of Idat, Icod1 and Icod2 in the terminal, but only in the data carrier IMex.

The FIGS. 5 b and 5 c also make clear the concept of the generic terminal g-WR, which is characterised by the fact, that in the terminal WR no program code Icod1 associated with an application is present, but only a program code Icod2 in the data carrier. The FIGS. 5 b and 5 c also illustrate the basis for the implementation of applications with individual application profiles ind, inasmuch as at the authorised terminal WRZ both the program code Icod necessary for the individualisation as well as the necessary application data Idat are loaded into the data carrier IMex.

FIG. 6 schematically illustrates a system according to the invention for the initialisation of applications App by means of application information Iex, which is transported from authorised terminals WRZ through data carriers IMex to terminals WR associated with the applications App, written into these and also executed there. The example shows several central host computers H1, H2, several authorised terminals WRZ1, WRZ2, WRZ3 and several terminals WR4-WR8. Within the framework of the authorisation system A, in principle any types of different and independent applications are capable of being initialised through the authorised terminals WRZ and the data carriers IMex in the various assigned terminals WR in any combination required, this to such an extent as the memory capacities are sufficient for this (FIG. 7).

FIG. 7 illustrates an example of an embodiment of a system according to FIG. 6 with three different independent applications App1, App2, App3 of independent users, which are transmitted to the mobile data carriers IMex from the authorised terminals WRZ1, WRZ2, WRZ3 and from these are transmitted to assigned terminals WR4-WR8, e.g., from the WRZ1 the application App2 into the terminals WR4, 5, 7, from the WRZ2 the application App1 into the terminals WR4, 7, 8 and from the WRZ3 the application App3 temporarily into the terminal WR6 (as g-WR).

After the applications have been installed in the terminals WR, corresponding sending back of status information Ist by the data carriers IMex to the authorised terminals WRZ takes place and from these to the central host computer H, e.g.: the application App1 is installed in the terminal WR8, is sent back to WRZ3 and H.

In practice, in most instances several data carriers IMex will present the same application Iex to a selected terminal WR, where of course this application only has to be transmitted to this terminal once. Equally the same status information Ist with respect to the writing of a certain application into a selected terminal WR may be sent back by several data carriers IMex to the authorised terminals WRZ (and to the host computer H). After all required applications have been installed in all required terminals WR, this application in principle is able to be deleted on the data carriers IMex and in the authorised terminal WRZ, resp., further transmissions to the IMex may be stopped. And after all necessary status information messages Ist have been sent back, it is also possible to stop the sending back of further status information.

The sending back of status information with respect to the execution of applications at the terminals WR is also capable of being continued if so required, this to such an extent and for as long as such messages are required.

Depending on the requirements, it is also possible, that the application information Iex is only temporarily present on the data carriers IMex, in the terminals WR and/or in the authorised terminals WRZ and that it is subsequently deleted. In this, the application information Iex may be temporarily present during a predefinable time period or for a certain number or types of processes or until a certain condition has been fulfilled.
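The propagation described for FIGS. 6 and 7 and in the preceding paragraphs (each terminal receives an application only once, repeated status information Ist collapses, transmissions stop once all required terminals report, temporary presence on the carrier ends after a set number of processes), together with the controls of claims 12 to 15 (an older application never overwrites a newer one; the security levels SL-IM and SL-WR gate the transmission), as an added Python simulation. This is example code written for this page, not code from the patent or from any product. The numeric security levels, the per-application version numbers, the install limit used to model temporary presence and all terminal and carrier identifiers are constructed sample values.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Iex:
    app: str
    version: int     # va/vb for the version control of claim 13 (assumption: integer)
    sl: int          # security level the application demands (constructed scale 0..2)
    icod: str        # stand-in for program code / application data


@dataclass
class Carrier:       # IMex
    ident: str
    sl_im: int
    iex: dict = field(default_factory=dict)     # app -> Iex currently carried
    uses: dict = field(default_factory=dict)    # app -> installs performed so far
    limit: dict = field(default_factory=dict)   # app -> installs after which Iex is deleted
    status: set = field(default_factory=set)    # Ist not yet returned; a set, so repeats collapse


@dataclass
class Terminal:      # WR
    ident: str
    sl_wr: int
    apps: frozenset                             # applications this terminal is associated with
    installed: dict = field(default_factory=dict)

    def present(self, carrier):
        """Steps 14/15/20: control carrier and terminal, install once, record status."""
        for app, iex in list(carrier.iex.items()):
            if app not in self.apps:
                continue                                    # not our application: leave it alone
            if carrier.sl_im < iex.sl or self.sl_wr < iex.sl:
                carrier.status.add((self.ident, app, iex.version, "refused-sl"))
                continue                                    # claim 14: SL gates the transmission
            current = self.installed.get(app)
            if current is not None and current.version >= iex.version:
                # Claims 12/13: an older (or identical) Iex never overwrites a newer one;
                # the status is re-reported, which costs nothing because Ist is a set.
                carrier.status.add((self.ident, app, current.version, "installed"))
                continue
            self.installed[app] = iex
            carrier.status.add((self.ident, app, iex.version, "installed"))
            carrier.uses[app] = carrier.uses.get(app, 0) + 1
            if app in carrier.limit and carrier.uses[app] >= carrier.limit[app]:
                del carrier.iex[app]                        # claim 11: temporary presence ends


@dataclass
class AuthorisedTerminal:   # WRZ
    ident: str
    outgoing: dict = field(default_factory=dict)   # app -> Iex being propagated
    required: dict = field(default_factory=dict)   # app -> terminals that must receive it
    host: set = field(default_factory=set)         # H: all Ist received, deduplicated

    def load(self, carrier, limit=None):
        """Step 12: write Iex onto IMex, optionally only for a number of installs."""
        for app, iex in self.outgoing.items():
            if carrier.sl_im < iex.sl:
                continue                                    # SL-IM too low for this application
            carrier.iex[app] = iex
            if limit is not None:
                carrier.limit[app] = limit

    def collect(self, carrier):
        """Step 20: take Ist back from the carrier, forward to H, stop finished propagations."""
        self.host |= carrier.status
        carrier.status.clear()
        for app, iex in list(self.outgoing.items()):
            done = {t for (t, a, v, ev) in self.host
                    if a == app and ev == "installed" and v >= iex.version}
            if self.required.get(app, set()) <= done:
                del self.outgoing[app]                      # all required WR have it: stop


def run_scenario():
    """WRZ1 propagates App2 v2 to WR4, WR5, WR7 via two carriers (constructed, after FIG. 7)."""
    wrz1 = AuthorisedTerminal("WRZ1", {"App2": Iex("App2", 2, 1, "code-v2")},
                              {"App2": {"WR4", "WR5", "WR7"}})
    wr4 = Terminal("WR4", 1, frozenset({"App2"}))
    wr5 = Terminal("WR5", 0, frozenset({"App2"}))                  # SL-WR too low
    wr7 = Terminal("WR7", 2, frozenset({"App2"}), {"App2": Iex("App2", 3, 1, "code-v3")})
    wr6 = Terminal("WR6", 2, frozenset({"App3"}))                  # not associated with App2
    a, b = Carrier("IMex-a", 1), Carrier("IMex-b", 1)
    wrz1.load(a)
    wrz1.load(b)
    for t in (wr4, wr5, wr7, wr6):
        t.present(a)
    for t in (wr4, wr5, wr7):
        t.present(b)                                               # second carrier: no second install
    wrz1.collect(a)
    wrz1.collect(b)
    return wrz1, wr4, wr5, wr7, wr6, a, b


def temporary_demo():
    """Claims 10/11: Iex deleted from the carrier after one install; WRZ3 then stops."""
    wrz3 = AuthorisedTerminal("WRZ3", {"App3": Iex("App3", 1, 0, "code")}, {"App3": {"WR6"}})
    c = Carrier("IMex-c", 0)
    wrz3.load(c, limit=1)
    wr6, wr8 = Terminal("WR6", 0, frozenset({"App3"})), Terminal("WR8", 0, frozenset({"App3"}))
    wr6.present(c)
    wr8.present(c)                                                 # nothing left to install
    wrz3.collect(c)
    return c, wr6, wr8, wrz3
```

In `run_scenario()` WR4 receives App2 once although two carriers present it, WR5 refuses it because its SL-WR is below the level the application demands, WR7 keeps its newer version 3, and WR6 ignores an application it is not associated with; the host ends up with exactly three distinct status entries and WRZ1 keeps propagating because WR5 has not reported an install. `temporary_demo()` shows the carrier deleting Iex after its single permitted install and WRZ3 stopping further transmissions once the only required terminal has reported.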

Examples for the initialisation of applications in terminals according to the invention: These may concern new applications Appn or an update of existing applications, which are replaced, resp., completed by a modified, extended application Appu.

One example for an update application Appu: The access to a room shall take place by the checking of the reference number of a data carrier IM1 and by the entering of a PIN-Code by the owner of this data carrier IM1. This existing application is to be extended, so that the access is only possible, if within a short time period (e.g., 30 seconds) a second authorised data carrier IM2 is presented and the PIN-Code of this second person is entered at the terminal. This extended application Appu is adapted in such a manner, that the checking process is respectively run through twice. The functional equipment App HW/SW for the physical execution of this application has to already be present at the terminal WR.

As a further example of an application extension Appu, an existing 4-digit PIN-Code as access condition could be replaced by a 6-digit PIN-Code with the Appu.

Example of a new application Appn: The access up until now was implemented by checking the reference number of a data carrier IM. Now, additionally also the entering and verifying of the PIN-Code of the owner of the data carrier IM shall take place. For this purpose, through a data carrier IMex a new application Appn is installed in the terminal WR, wherein the necessary functional equipment App HW/SW is already present at the terminal or is capable of being simulated, e.g., with a PSOC (Programmable System on Chip), a module comprising a microprocessor and an analogue part, wherein the functionality of the analogue part is capable of being defined and changed by the microprocessor within certain limits (i.e., in the broadest sense, by means of software the hardware of the module is simulated). With new applications Appn therefore also a new and extended exploitation of existing equipment, resp., functional equipment is capable of being set-up at the terminals WR.

The adaptation of a characteristic value of a functional device is illustrated as an example of an application by an update of an application Appu in combination with a re-configuration of the App HW/SW. The application shall consist of the automatic opening of a door, in that, e.g., a relay clears a contact, a locking pin is mechanically moved and a motor opens the door. For the compensation of the aging and wear of these components, the terminal WR is capable of being re-configured through application information Iex. For this purpose, an update of the application parameters Ipar of the functional devices (relay, motor) belonging to the App HW/SW is transmitted to the terminal WR, as a result of which the relay and the motor are operated with new reference values (e.g., with an increased current), this in order to prevent, that in case of an operation with the old reference values the relay does not clear the locking pin, resp., the door jams.

The data carriers IMex may also comprise application information Iex with individual application profiles ind.

For example, it is possible that individual access times for every person are only stored on their own data carrier IM, while only the general access condition is written into the terminals WR as an application. Or it is also possible to initialise applications Iex with an individual profile ind, which depending on the owner of the data carrier IMex are different. For example, the access to a room is to be differently controlled in the terminal WR. For a certain circle of closer employees only the checking of the reference number of their data carriers is necessary, while for other persons also a checking of their PIN-Code in addition to the reference numbers is required.

Temporary access card for selective access: For an access system to production facilities of a daughter company in country b new access cards are to be established, with which persons responsible from the central office in country a are able to carry out unannounced control visits in country b. For this purpose, in the central office data carriers IMex are capable of being loaded with the corresponding application information Iex at an authorised terminal WRZ. In country b, the data carriers IMex are presented at the terminals there, the application is temporarily initialised and also executed, i.e., the access is permitted for the duration of the planned control visit.

A further example: An application is to consist of the access clearance for an EDP centre, wherein the data carrier of the card owner is checked. This access clearance is now to be tightened by a new, extended application App, with which the access control additionally requires a personal code pers (PIN-Code or biometric code) of the owner of the data carrier. Furthermore, certain data or information is to be issued or displayed. If the terminal does not have a display, then there is the possibility of attaching a display unit next to the terminal, which, e.g., like the data carrier is to communicate with the terminal in a contact-less manner. This makes it possible to make do without a cabling of the display unit (with the terminal WR or with a host computer H). In case of an extension of this kind, the terminal has to be brought into a position to address the display unit, i.e., the terminal, resp., its corresponding parameters Ipar have to be reconfigured in such a manner, that the communication is possible both with a data carrier IMex as well as with the display unit. The application information Iex required for this purpose is transmitted into the terminal WR through a data carrier IMex. In the case of an application with an individual application profile ind furthermore, e.g., on the basis of the application information Iex on the data carrier IMex it is decided, whether the display unit is a component part of the application App and how it is to be addressed by the terminal WR.

A further enhancement of the access security is capable of being initialised, e.g., with an additional tightening by a further application App2, with which the access is only permitted in twos, i.e., in the extended application App2 the terminal checks the data carrier of a first person and this person's personal code and subsequently the data carrier of a second person and that person's personal code, whereupon solely in case of a matching of all data the access to the EDP centre is enabled.
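The terminal-side control f(A, Icod1, Icod2, Idat) of FIG. 5 b, followed by execution (18) of program code Icod2 that arrives on the carrier, as an added Python example. It covers the Appu cases above (two persons within 30 seconds, 6-digit PIN, access only in twos) and the individual profile ind of the closer-employee example. It is not the patent's code. Assumptions of this example: the authorisation system A is represented as a set of permitted (application, terminal) pairs; the association of Icod2 and Idat with exactly one application, which the page assigns to the separate encryption cryp2, is modelled by an HMAC tag under a per-application key; Icod2 is a small data-driven instruction list interpreted by the terminal (claim 29 names an interpreter); all keys, reference numbers and PINs are constructed sample values. The security-relevant point is that the terminal never interprets Icod2 before the control f has passed.

```python
import hashlib
import hmac
import json

# Authorisation system A (constructed sample): (application, terminal) pairs
# permitted to execute together. Any other pair fails the control f.
A_RULES = {("App1", "WR4"), ("App1", "WR7")}

# One secret per application (assumption of this example): it models the
# association of Icod2/Idat with exactly one application, the role the page
# gives to cryp2. Constructed value, not a real key.
APP_KEYS = {"App1": b"constructed-App1-key"}


def canonical(obj):
    """Deterministic serialisation of Icod2/Idat so the tag is reproducible."""
    return json.dumps(obj, sort_keys=True, default=sorted).encode()


def tag(app, icod2, idat):
    """Binding tag written by WRZ onto IMex together with Icod2 and Idat."""
    return hmac.new(APP_KEYS[app], canonical([icod2, idat]), hashlib.sha256).hexdigest()


def f(A, terminal_id, app, icod2, idat, received_tag):
    """Control f(A, Icod1, Icod2, Idat) of FIG. 5 b, computed by uP-WR.

    Icod1 is the terminal's own code (this function); Icod2 and Idat arrive
    from the carrier and are accepted only if A permits (app, terminal) and
    the tag shows they belong to that application and are unmodified.
    """
    if (app, terminal_id) not in A or app not in APP_KEYS:
        return False
    return hmac.compare_digest(tag(app, icod2, idat), received_tag)


def check_person(checks, idat, presentation):
    """Interpret the Icod2 check steps for one presented carrier (claim 29)."""
    ref, pin, _time = presentation
    for step in checks:
        op = step[0]
        if op == "REF":                       # reference number must be authorised
            if ref not in idat["refs"]:
                return False
        elif op == "PIN":                     # PIN of the given length must match
            if idat["ind"].get(ref) == "ref-only":
                continue                      # individual profile ind: no PIN for this person
            expected = idat["pins"].get(ref)
            if pin is None or expected is None or len(pin) != step[1] \
                    or not hmac.compare_digest(pin.encode(), expected.encode()):
                return False
        else:
            return False                      # unknown instruction: refuse, never guess
    return True


def execute(icod2, idat, presentations):
    """Execution (18): n distinct persons, each passing the checks, within the window.

    presentations: list of (reference number, entered PIN or None, time in seconds).
    """
    n, window = icod2["persons"], icod2["window_s"]
    if len(presentations) < n:
        return False
    last = presentations[-n:]
    if len({p[0] for p in last}) < n:         # the same carrier twice is one person
        return False
    if last[-1][2] - last[0][2] > window:     # e.g. 30 s in the Appu example
        return False
    return all(check_person(icod2["checks"], idat, p) for p in last)


def terminal_present(A, terminal_id, carrier_iex, presentations):
    """Step 17 (controlling f) and only then step 18 (execution of App)."""
    app, icod2, idat, received_tag = carrier_iex
    if not f(A, terminal_id, app, icod2, idat, received_tag):
        return "refused"                      # Icod2 is never interpreted
    return "granted" if execute(icod2, idat, presentations) else "denied"


# Constructed sample data: reference numbers, PINs and one ref-only profile.
IDAT = {
    "refs": {"ref-1", "ref-2", "ref-3"},
    "pins": {"ref-1": "123456", "ref-2": "654321"},
    "ind": {"ref-3": "ref-only"},
}
# Appu of the examples above: two persons within 30 s, 6-digit PIN.
ICOD_APPU = {"persons": 2, "window_s": 30, "checks": [["REF"], ["PIN", 6]]}


def carrier_iex(app="App1", icod2=ICOD_APPU, idat=IDAT):
    """What WRZ writes onto IMex (step 12): Icod2, Idat and their binding tag."""
    return (app, icod2, idat, tag(app, icod2, idat))
```

A carrier presented at WR4 with two distinct persons, correct 6-digit PINs and presentations 20 s apart yields "granted"; 40 s apart, the same carrier twice, or a 4-digit PIN yields "denied"; the ref-only profile of ref-3 passes without a PIN. At WR5, which A does not associate with App1, or with an Icod2 altered on the carrier (for instance "persons" reduced to 1 without a matching tag), the result is "refused" and the instruction list is never interpreted.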

Within the framework of this description, the following terms are utilised:

H Host computer, central station
A Authorisation system
AM Authorisation means, transmission authorisation medium
IM Mobile data carrier, identification medium
IMex IM for the transmission of application information Iex
Rf Contact-less
Rf-K Contact-less communication
WR Terminal, read- and write station
WRZ Authorised terminal, selected central terminal
g-WR Generic WR
App Application
Appn New application
Appu Application extension, update
App1, App2 Independent applications
ind Individual application profiles
App HW/SW Application hardware/software for WR, functional equipment
Iex Application information
Idat Data of an application
Ipar Parameters
Icod Program data, program code
Iex = Idat, Ipar, Icod
Ist Status information
f Function with control data
SL Security level
SL-IM, SL-WR SL of IM, resp., of WR, WRZ
ID Identification data
ID-IM, ID-WR ID of IM, resp., ID of WR, WRZ
SM Security module
MEM Memory, data memory
API Application programming interface
cryp1 Encryption of the communication
cryp2 Encryption of the application
pers Personal data or code (PIN, biometric code)
uP-WR Microprocessor in WR for App
uP-IM Microprocessor in IM for App
ta, tb Points in time
va, vb Version numbers
Ia Authorisation information
F/P Flag/Pointer
F/P-IMex F/P of IMex
F/P-App F/P of an application with Iex(App)
If Release information
9 Transformation/conversion of WR to WRZ, selection, authorisation
10 Loading new application into WRZ
11 Controlling of IMex
12 Writing of Iex, setting of F/P
13 Transfer of the IMex
14 Controlling of WR, IMex
15 Transmission to WR
17 Controlling of IM
18 Execution of App
20 Sending back of status information
21 Transformation/conversion of WR into WRZ
22 Retransformation of WRZ into WR

1. A method for initialisation or extension of an application (App), for transmitting application information (Iex) associated with one application (App) to terminals, said terminals being read- and write stations (WR) of a system with mobile data carriers (IM), terminals (WR) and a hierarchical authorisation system (A), comprising the steps of: selecting and authorizing certain terminals (WRZ), loading the application information (Iex) into mobile data carriers (IMex) by an authorised terminal WRZ and, subsequently during presentation of said data carriers (IMex) to other terminals (WR), transmitting the application information (Iex) to these other terminals (WR) associated with the application, so that thereafter the application (App) for authorised data carriers (IM) and (IMex) is capable of being executed at these other terminals (WR).

2. The method according to claim 1, comprising the further step of transforming a terminal (WR) into an authorised terminal (WRZ) by means of authorisation information (Ia).

3. The method according to claim 1, wherein loading of application information (Iex) from an authorised terminal (WRZ) onto a data carrier (IMex) takes place following the enabling of the authorised terminal (WRZ) by means of release information (If).

4. The method according to claim 1, wherein the system comprises a contact-less communication (Rf-K) between the terminals (WR, WRZ) and the data carriers (IM, IMex).

5. The method according to claim 1, wherein the application information (Iex) is capable of containing application data (Idat), application parameters (Ipar) and program data (Icod).

6. The method according to claim 1, wherein, from the mobile data carriers (IMex) status information (Ist) concerning occurrences at the terminals (WR) relating to the transmission of the application information (Iex) and to the execution of the corresponding applications is sent back to the authorised terminals (WRZ).

7. The method according to claim 1, wherein a terminal (WR) by means of the transmission of application information (Iex) through a data carrier (IMex) is transformed into a further authorised terminal (WRZ) and that subsequently the application information (Iex) from this further authorised terminal (WRZ) is loaded onto further data carriers (IMex), through which the application information (Iex) once again is transmitted to further terminals (WR).

8. The method according to claim 7, wherein a terminal (WR) is transformed into an authorised terminal (WRZ) only temporarily.

9. The method according to claim 7, wherein a terminal (WR) is transformed into an authorised terminal (WRZ) only for transmission of status information.

10. The method according to claim 1, wherein the application information (Iex) is only temporarily present on the data carriers (IMex), the terminals (WR) and/or the authorised terminals (WRZ) and subsequently deleted therefrom.

11. The method according to claim 10, wherein the application information (Iex) is temporarily present for one of a predetermined time period, for a certain number of processes, and for a certain type of processes.

12. The method according to claim 1, wherein a control mechanism is provided, which ensures, that a newer application (Appb) in a terminal (WR) is not able to be overwritten by an older application (Appa), which is presented at a later point in time by another data carrier (IMex).

13. The method according to claim 12, wherein the control mechanism comprises one of a time control (tb>ta) and a version control (vb>va).

14. The method according to claim 1, wherein the data carriers (IM) contain a security level SL-IM and the terminals (WR) contain a security level (SL-WR), which control the transmission of the new application (App) onto the data carriers (IMex) and into the terminals (WR) for their subsequent execution.

15. The method according to claim 14, wherein the security levels (SL) are a functional component part of the authorisation system (A) and that the rules of the authorisation system (A) prevent, a security level (SL-IM; SL-WR) in a data carrier (IM) or in a terminal (WR) from being increased.

16. The method according to claim 1, wherein the application information (Iex) for the transmission from the authorised terminal (WRZ) to the terminals (WR) is encrypted with a separate encryption (cryp2) and is solely capable of being decoded in terminals (WR) or by data carriers (IMex), which are associated with an application corresponding to the application information (Iex).

17. The method according to claim 1, wherein the data carriers (IMex) for the transmission of selected application information (Iex) are defined by identification data (ID-IM).

18. The method according to claim 1, wherein the terminals (WR) are defined by identification data (ID-WR) for the reception of selected application information (Iex).

19. The method according to claim 1, wherein, for the transmission of the new application (App) onto the data carriers (IMex) or from the data carriers into the terminals (WR), as an additional security requirement a personal identification (pers) of the card owner or of the owner of the terminal is required.

20. The method according to claim 1, wherein, for the transmission of the application information (Iex) or of status information (Ist) the data carriers (IMex) and/or the terminals (WR) are capable of operating actively so as to make available information (Iex, Ist) on their own.

21. The method according to claim 1, wherein, in the data carriers (IMex) with the transmission of application information (Iex) flag/pointers (F/P) are also set.

22. The method according to claim 1, wherein the data carriers (IMex) comprise an applications microprocessor (uP-IM), which in collaboration with the applications microprocessor of the terminal (uP-WR) is capable of processing application information (Iex).

23. The method according to claim 1, wherein the data carriers (IMex) comprise application information (Iex) with individual application profiles (ind).

24. The method according to claim 1, wherein generic terminals (g-WR) with an applications microprocessor (uP-WR) are provided, in which a selected application is not contained and into which this application is temporarily loaded by a data carrier (IMex).

25. The method according to claim 1, wherein the terminals (WR) contain a logical communication- and application interface (LCAI), through which application information (Iex) is capable of being loaded into the terminals and read out.

26. The method according to claim 25, wherein an application (App) is only capable of being executed following the loading and reading out through the logical communication- and application interface (LCAI).

27. The method according to claim 25, wherein the logical communication- and application interface (LCAI) ensures the compliance with rules of the authorisation system (A).

28. The method according to claim 25, wherein controlling of the security level (SL) is carried out in the logical communication- and application interface (LCAI).

29. The method according to claim 25, wherein the logical communication- and application interface (LCAI) comprises an interpreter or an application programming interface (API).

30. The method according to claim 1, wherein several independent applications (App1, App2), each respectively of independent users for assigned terminals (WR1, WR2), each respectively at assigned authorised terminals (WRZ1, WRZ2) are loaded onto the mobile data carriers (IMex) and each respectively transmitted to corresponding assigned terminals (WR1, WR2).

31. A mobile data carrier in a system with data carriers (IM), assigned terminals (WR) and a hierarchical authorisation system (A), wherein the data carrier (IMex) in a data memory contains a new or extended application (App) with application information (Iex) loaded from a selected, authorised terminal (WRZ), which when the data carrier is presented at further terminals (WR) associated with the application is written in and in the following is also capable of being executed by the terminals.

32. The mobile data carrier according to claim 31, wherein the data carrier (IMex) contains application information (Iex1, Iex2) of different independent applications (App1, App2), which are capable of being transmitted to different assigned terminals (WR1, WR2).

33. A system with mobile data carriers (IM), terminals (WR) and a hierarchical authorisation system (A), comprising at least one selected, authorised terminal (WRZ), at which new or extended applications (App) with application information (Iex) are loaded onto the data carrier (IMex), which information (Iex) at further terminals (WR) associated with the application (App) is written into these and is also executed by the terminals.